Fortnightly - NERC Critical Infrastructure Protection (https://www.fortnightly.com/tags/nerc-critical-infrastructure-protection)
Better Safe Than Compliant (https://www.fortnightly.com/fortnightly/2011/08/better-safe-compliant)
<div class="field field-name-field-import-deck field-type-text-long field-label-inline clearfix"><div class="field-label">Deck:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Protecting the smart grid requires a broader strategy.</p>
</div></div></div><div class="field field-name-field-import-byline field-type-text-long field-label-inline clearfix"><div class="field-label">Byline:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Ernie Hayden</p>
</div></div></div><div class="field field-name-field-import-category field-type-text field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even">Technology Corridor</div></div></div><div class="field field-name-field-import-bio field-type-text-long field-label-inline clearfix"><div class="field-label">Author Bio:&nbsp;</div><div class="field-items"><div class="field-item even"><p><b>Ernie Hayden</b> (<a href="mailto:ernie.hayden@verizon.com">ernie.hayden@verizon.com</a>) is managing principal, energy security in the energy and utility practice at Verizon.</p>
</div></div></div><div class="field field-name-field-import-volume field-type-node-reference field-label-inline clearfix"><div class="field-label">Magazine Volume:&nbsp;</div><div class="field-items"><div class="field-item even">Fortnightly Magazine - August 2011</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>When Heather Adkins, Google’s incident response manager, told her fellow security managers last February<sup>1</sup> that “Compliance is the death of security,” she was reflecting the lessons learned by having one of the world’s largest bullseyes painted on her company’s back—and the burden of being accountable for maintaining the integrity of systems that handle several hundred million inquiries from more than 90 million different users every day.</p>
<p>This reality of today’s cyber-threat environment will become more apparent to utility security managers in coming months and years as the industry builds out a smart grid that will more closely resemble the larger, more complex Google network, or an advanced telecom system, than it does traditional in-house communications and control systems.</p>
<p>With the stakes of success measured in the reliable delivery of essential electric power rather than serving up an email message or music video, utility managers and regulators have good reason to feel both increased pressure to perform and heightened concern about their systems’ ability to provide reliable delivery and maintain cyber security.</p>
<p>More than 60 percent of respondents to a 2010 industry survey of utilities and energy companies by the Ponemon Institute reported being extremely or moderately concerned about the threats to their networks from hackers, employees and vendor errors; and 70 percent doubted their ability to apply NERC CIP security standards in their communications and IT networks.</p>
<p>Couple that industry self-analysis with the same survey’s finding that more than half of the country’s power plant and critical infrastructure computer networks have suffered sophisticated infiltrations. Then factor in that the DOE’s inspector general has concluded that FERC and its cooperating organizations might not be able to identify and mitigate cyber security vulnerabilities in the U.S. electric system. Conclusion: We have a problem.</p>
<h4>Problem Solving</h4>
<p>The U.S. utility industry has a history of successfully addressing problems of this magnitude and greater, from harnessing the nation’s hydro power, to recovering from huge natural disasters such as Hurricane Katrina or the Joplin tornado, to moving past the Three Mile Island accident. This has been due in large part to the industry’s engineering skills, can-do attitude, and ability to organize and manage its resources in a hierarchical manner to define project objectives and create significant in-house capabilities for delivering solutions.</p>
<p>Over the decades, the consensus that reliability is the industry’s overarching objective has, in general, made sufficient resources available for the systems, staffing and infrastructure needed to surmount problems, accommodate growth and maintain standards. But the cyber security threat is entirely different, posing new potential risks to millions of individuals in a way that isn’t easy to combat centrally and resists easy risk-cost-reward valuation.</p>
<p>But here’s the rub.</p>
<p>The emphasis on cyber security for the North American bulk electric system takes the form of the NERC Critical Infrastructure Protection (CIP) standards. These standards really set a minimum level of security performance with which utilities must comply—and only for the high voltage transmission systems, not the distribution grid. Unfortunately, a compliance checklist approach—which the NERC CIPs tend to require—might inherently lack the scope and adaptability needed to counter digital adversaries’ continually emerging and evolving strategies and tactics. In other words, there’s a tendency by regulators and legislators to enforce security through compliance with the NERC CIP standards and not necessarily to focus on protecting the most critical assets or addressing the highest cyber risks.</p>
<p>“Hackers don’t have checklists,” said Chris Villarreal, the California Public Utilities Commission’s smart grid staff lead, at the Utilities Telecom Council’s Smart Grid Policy Summit in April, adding that utilities can’t think they’re secure by simply checking off a list of compliance requirements.</p>
<h4>Hamstringing Security</h4>
<p>Having recognized the immediacy and scale of the smart grid cyber security challenge, utility management and regulatory officials understandably feel a great deal of urgency to show their customers, ratepayers and constituents that they are taking appropriate and effective protective action. Ironically, moving quickly without a complete understanding of the technical, policy and regulatory implications for the security environment can produce results that don’t necessarily address the highest threats.</p>
<p>For instance, compliance with the NERC CIP standards might not prevent Stuxnet-like attacks. Additionally, the NERC CIP standards don’t apply to the distribution grid, where most of the smart grid deployments are taking place.</p>
<p>In another example, consider the new smart meters that are now being installed. Currently there are no specific cyber security standards in place for smart meters; however, that doesn’t preclude aggressive testing of the meters to identify vulnerabilities and establish corrective fixes to make the meters more secure. Unfortunately, in a compliance-focused environment, proactive security testing of meters might not be encouraged or even considered valid. And because the expense of the testing isn’t considered “required,” it’s excluded from the system design and deployment.</p>
<p>Lack of coordination among multiple federal, state and regional jurisdictions asserting authority over smart grid security is also likely to generate confusion, conflicts and unsupported confidence in system security. Already, the California PUC is expecting to issue its own cyber security standards in the face of early smart grid rollouts, and other states, including Ohio and New York, have similar inquiries in the works. But such action would still generate confusion and inconsistent implementation of these standards, because the California PUC only has jurisdiction over the investor-owned utilities in the state (<i>e.g.</i>, San Diego Gas &amp; Electric, Southern California Edison, and Pacific Gas &amp; Electric) thus excluding such large public utilities as Los Angeles Department of Water and Power (LADWP) and Sacramento Municipal Utility District (SMUD).</p>
<p>The combined effects of well-intentioned early action and incomplete or contradicting guidelines from various jurisdictions increase the likelihood that the policy and operational focus will remain on compliance—reporting and documentation that can be mandated and measured—rather than a more holistic, risk-based philosophy that has been used successfully in the non-utility world, and is a foundation of U.S. federal agency information security programs.</p>
<h4>Holistic Risk-Based Answers</h4>
<p>Because the smart grid’s ability to deliver intelligence will be the result of secure two-way data flow throughout a system of meters, switches, gateways, SCADA/EMS control centers, databases and energy sources, the entire system must be viewed holistically and the data must be protected from the meter to the utility and back. In addition, utilities and regulators will need to take a new holistic view of resource allocation and performance expectations, balancing—or allowing the market to balance—benefits, risks and costs.</p>
<p>As Gartner Research observed in its April 2010 report <i>The Myth of Smart Grid Security</i>, “There is no such thing as perfect security, and residual risk will always be an issue. Utilities need to assess the risks and make good decisions over which controls are reasonable and appropriate to their situation.” Of course, this approach might be problematic with the regulators. However, simple legislation and adding more rules might not help fill the gap to maintain security of the transmission and distribution grids. Therefore, there needs to be a balance between the accountability on which regulatory systems rely and the flexibility needed to respond to changing risks.</p>
<p>The weakest link in this chain will be different in every system and will change from day to day. Each link could present a vulnerability that allows penetration by outsiders, or an opportunity for damaging mistakes by employees. But both cyber- and physical security vigilance across this system will be the price for the immense opportunities of real-time pricing, load and consumption management, cost savings, improved environmental impact, and more effective distributed power integration.</p>
<p>The industry has taken productive initial steps to increase cyber security vigilance with NERC CIP mandates—which don’t directly address all smart grid deployments because of the NERC CIP focus on the bulk electric system. These actions have included participation in the NERC Smart Grid Task Force, the NIST Smart Grid Cyber Security Working Group, and GridWise, to name a few.</p>
<p>But in the intensive next phases of work to be done to protect the confidentiality, integrity, and availability of the smart grid’s two-way data streams, the industry needs to consider a risk-based, holistic security approach that’s more consistent with major global standards, such as ISO27001 and NIST 800-39, which are used across many industries worldwide.</p>
<p>Work is underway on that front. “NERC recognizes that there needs to be additional emphasis on identifying critical assets and increasing the focus on risk-based approaches to security,” observes Mark Weatherford, NERC vice president and chief security officer. “NERC, DOE, NIST and selected utilities are currently working together in a public-private collaboration to develop cyber security risk management guidelines that provide a consistent, repeatable, and adaptable process for the entire electricity sector. These voluntary guidelines sit on top of current CIP standards and will enable organizations to proactively manage risk.”</p>
<h4>Tiered Defense &amp; Tools</h4>
<p>In implementation, utility smart grid deployments must be able to contend with potential threats on three levels: administrative, physical and logical security. In assuring the adequacy and currency of implementation, utilities and regulators must develop an expanded focus with a range of evaluation and oversight requirements that go beyond the current NERC CIPs, which tend to be more of a required minimum.</p>
<p>An effective, comprehensive tiered defense structure functions on four primary levels:</p>
<p>1) <i>Risk framework:</i> The foundation for an effective security approach is to evaluate your assets and identify those that are most critical—<i>i.e.</i>, critical data stores, critical assets most important to the utility’s core purpose, etc. Then with these assets in mind, identifying the key threats to the utility and the vulnerabilities of concern can help lead to a comprehensive security defense focused on protecting the critical assets.</p>
<p>2) <i>Administrative security:</i> Policies and standards for the organization and its vendors to maintain a secure network, including development of a robust program, identification of leadership, determination of key smart grid assets, a security exception management process, an information protection program, policies on change control and configuration management, an audit and oversight function, and properly trained personnel.</p>
<p>3) <i>Physical security:</i> Protection of critical assets and smart grid components and systems from direct physical attack or environmental impact by use of fences, surveillance systems, robust component design, and alert systems.</p>
<p>4) <i>Logical security:</i> Processes and steps to protect the digital data flowing through the system, including encryption, authentication requirements, application security controls, security patches, malware removal, maintenance hooks, and testing and hardening.</p>
<p>Constant vigilance will be required to maintain cyber security, including focused awareness of the threats, continuous monitoring for intrusion or abnormalities, real-time reporting and monitoring of metrics, and preparation of and practicing an incident management and recovery plan.</p>
<p>To address and move beyond current compliance and oversight standards, utilities will need to expand their focus. Basic NERC CIP compliance should be extended to cover non-routable protocols and associated electronics and systems that are important to the control and reliability of the electric grid. Regulators also should adopt a performance-based oversight and assessment scheme to focus on a utility’s actual security posture and performance, rather than on the quality or content of its supporting paperwork. In other words, utilities should first spend their resources on identifying and protecting the critical assets, then complete the NERC CIP paperwork.</p>
<p>Additionally, the industry should consider risk-based security practices from other industries, such as defense, banking, and financial services, including improved monitoring and alerting capabilities in a holistic, risk-based perspective.</p>
<p>Utilities should implement best practices defined by internationally recognized ISO standards, such as ISO27001/2, that are focused on risk management and will establish a base of fundamental performance-oriented security practices on which the organization can build.</p>
<p>Finally, we should learn lessons from industrial controls failures and data breach investigations. As the strategies, tactics and technologies used by those attempting to invade secure systems evolve, an important response by security professionals as an industry is to gather information about attempted and successful invasions as a basis for updating and adjusting standards and procedures. Utilities will move to a higher level of preparedness by participating in this process.</p>
<p>The deployment of the smart grid will bring an increasingly complex command, control and information system and a multiplicity of new communications paths with two-way data flows. This is likely to open new vulnerabilities to attacks on the confidentiality, integrity and availability of data belonging to individuals, businesses, organizations and governmental units. Utilities must develop new protection processes to complement those already in place to protect systems and other assets, in order to be better prepared to address not only deliberate attacks from disgruntled employees, competitors and terrorists, but also inadvertent compromises of information due to errors, equipment failures and natural disasters.</p>
<p>With a secure and reliable communications infrastructure incorporating a tiered, risk-based defense system and available tools and standards, it will be entirely feasible to have a smart grid that is as smart as it should be from end to end.</p>
<p>And on the way to that point, the entire utility industry will learn that security is the life of compliance.</p>
<h4>Endnotes:</h4>
<p>1. RSA Conference 2011, San Francisco.</p>
</div></div></div><div class="field field-name-field-article-category field-type-taxonomy-term-reference field-label-above clearfix"><h3 class="field-label">Category (Actual): </h3><ul class="links"><li class="taxonomy-term-reference-0"><a href="/article-categories/security-reliability-cip">Security, Reliability &amp; CIP</a></li><li class="taxonomy-term-reference-1"><a href="/article-categories/smart-grid">Smart Grid</a></li></ul></div><div class="field field-name-field-department field-type-taxonomy-term-reference field-label-above clearfix"><h3 class="field-label">Department: </h3><ul class="links"><li class="taxonomy-term-reference-0"><a href="/department/technology-corridor">Technology Corridor</a></li></ul></div><div class="field field-name-field-image-picture field-type-image field-label-above"><div class="field-label">Image Picture:&nbsp;</div><div class="field-items"><div class="field-item even"><img src="https://www.fortnightly.com/sites/default/files/article_images/1108/images/1108-TC.jpg" width="1143" height="1500" alt="" /></div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above clearfix">
<div class="field-label">Tags:&nbsp;</div>
<div class="field-items">
<a href="/tags/california-public-utilities-commission">California Public Utilities Commission</a><span class="pur_comma">, </span><a href="/tags/chris-villarreal">Chris Villarreal</a><span class="pur_comma">, </span><a href="/tags/cip">CIP</a><span class="pur_comma">, </span><a href="/tags/commission">Commission</a><span class="pur_comma">, </span><a href="/tags/cyber-security-working-group">Cyber Security Working Group</a><span class="pur_comma">, </span><a href="/tags/doe">DOE</a><span class="pur_comma">, </span><a href="/tags/ems">EMS</a><span class="pur_comma">, </span><a href="/tags/ferc">FERC</a><span class="pur_comma">, </span><a href="/tags/gartner">Gartner</a><span class="pur_comma">, </span><a href="/tags/gartner-research">Gartner Research</a><span class="pur_comma">, </span><a href="/tags/google">Google</a><span class="pur_comma">, </span><a href="/tags/gridwise">GridWise</a><span class="pur_comma">, </span><a href="/tags/heather-adkins">Heather Adkins</a><span class="pur_comma">, </span><a href="/tags/infrastructure">Infrastructure</a><span class="pur_comma">, </span><a href="/tags/iso">ISO</a><span class="pur_comma">, </span><a href="/tags/it">IT</a><span class="pur_comma">, </span><a href="/tags/mark-weatherford">Mark Weatherford</a><span class="pur_comma">, </span><a href="/tags/nerc">NERC</a><span class="pur_comma">, </span><a href="/tags/nerc-critical-infrastructure-protection">NERC Critical Infrastructure Protection</a><span class="pur_comma">, </span><a href="/tags/nerc-smart-grid-task-force">NERC Smart Grid Task Force</a><span class="pur_comma">, </span><a href="/tags/nist">NIST</a><span class="pur_comma">, </span><a href="/tags/nist-smart-grid-cyber-security-working-group">NIST Smart Grid Cyber Security Working Group</a><span class="pur_comma">, </span><a href="/tags/ponemon-institute">Ponemon Institute</a><span class="pur_comma">, </span><a href="/tags/sacramento-municipal-utility-district">Sacramento Municipal Utility District</a><span 
class="pur_comma">, </span><a href="/tags/scada">SCADA</a><span class="pur_comma">, </span><a href="/tags/security">Security</a><span class="pur_comma">, </span><a href="/tags/so2">SO2</a><span class="pur_comma">, </span><a href="/tags/southern-california-edison">Southern California Edison</a><span class="pur_comma">, </span><a href="/tags/stuxnet">Stuxnet</a><span class="pur_comma">, </span><a href="/tags/three-mile-island">Three Mile Island</a> </div>
</div>
Mon, 01 Aug 2011 04:00:00 +0000
Cyber Attack! CIP Goes Live (https://www.fortnightly.com/fortnightly/2008/01/cyber-attack-cip-goes-live)
<div class="field field-name-field-import-deck field-type-text-long field-label-inline clearfix"><div class="field-label">Deck:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Utilities are gearing up for cyber security compliance. Will the standards prove worthy?</p>
</div></div></div><div class="field field-name-field-import-byline field-type-text-long field-label-inline clearfix"><div class="field-label">Byline:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Michael T. Burr</p>
</div></div></div><div class="field field-name-field-import-bio field-type-text-long field-label-inline clearfix"><div class="field-label">Author Bio:&nbsp;</div><div class="field-items"><div class="field-item even"><p><b>Michael T. Burr</b> is editor-in-chief of <em>Public Utilities Fortnightly</em>. Scott M. Gawlicki provided some content for this story. Email Michael at <a href="mailto:burr@pur.com">burr@pur.com</a>.</p>
</div></div></div><div class="field field-name-field-import-volume field-type-node-reference field-label-inline clearfix"><div class="field-label">Magazine Volume:&nbsp;</div><div class="field-items"><div class="field-item even">Fortnightly Magazine - January 2008</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>When Alison Silverstein limped into an Arlington, Va., hotel meeting room in March 2002, few would have guessed the woman on crutches would throw down such a heavy gauntlet.</p>
<p>But broken foot notwithstanding, the senior policy adviser to then-FERC Chairman Pat Wood carried a weighty ultimatum. Just six months after the 9/11 terrorist attacks, she told members of the NERC Critical Infrastructure Protection Committee to secure the grid, or the federal government would secure it for them.</p>
<p>Actually Silverstein’s message was slightly more nuanced.</p>
<p>“I gave them two options,” she says. “One, you write the rules you want to live with; or two, I’ll get a bunch of federal bureaucrats who don’t know much about the utility industry to draft a set of rules. And you know what bureaucrats will do.”</p>
<p>The committee got the message. NERC began developing standards and guidelines for its members to use in securing the nation’s critical power infrastructure, particularly against cyber attack or misuse. But disagreements over the details — especially potential compliance costs — delayed the process and forced multiple revisions that made the standards more flexible and easier for the industry to meet.</p>
<p>“With the earlier drafts, the critical-asset standards were very specific,” says David Grubbs, transmission manager for City of Garland, Texas. “But there was so much opposition that what’s left is really nebulous. Now it’s really more of a risk-based analysis process.”</p>
<p>The Northeast blackout in 2003 raised the ante, turning attention toward reliability in general. The Energy Policy Act of 2005 (EPAct) created a legislative mandate for reliability standards, and led to NERC gaining enforceable authority as the FERC-designated Electric Reliability Organization (ERO).</p>
<p>Amid these upheavals, the CIP-standards process crawled forward. And finally — after five years, an act of Congress, a FERC staff report and a FERC NOPR — the final CIP standards are now emerging, accompanied by a compliance and enforcement regime <i>(see sidebar “ERO Enforcement Emerges”)</i>.</p>
<p>The good news is the CIP standards are working. “Maybe they aren’t perfect, but boy are they having the desired effect,” says Dale Peterson, president of cyber security consulting firm Digital Bond Inc. “We’ve seen a dramatic increase in the level of effort by a large number of utilities.”</p>
<p>That doesn’t mean, however, the cyber security journey is over — either in terms of implementation or policy development <i>(see “Commission Watch,” p.46)</i>. By all accounts, the industry is taking just the first shaky steps toward a more secure utility grid.</p>
<h4>Weak Links</h4>
<p>To be sure, the NERC CIP standards represent an historic achievement. They include the first mandatory cyber security requirements of their kind to be imposed on a U.S. private-sector industry. Considering the scope and sensitivity of the grid-security issue, developing a set of enforceable standards inevitably would entail a complex and contentious process. From that perspective, NERC, FERC and the industry have made remarkable progress, and their efforts deserve accolades.</p>
<p>“I’ve been very impressed by NERC’s leadership in this domain,” says Darren Highfill, utility communications security architect with EnerNex Corp. in Knoxville, Tenn. “From an organizational standpoint and within the scope of NERC’s charter, I think they’ve done a very good job. The CIP standards are procedural and not prescriptive. They cover all the bases and they are pretty well constructed.”</p>
<p>But as a first effort, the standards are destined for refinement, strengthening and possibly expansion as the industry discovers weak links in the regulatory fence.</p>
<p>For example, the standards give regulated entities the task of identifying which of their assets will be subject to regulation, with little specific guidance about how they should conduct the process. In effect, this means utilities decide what systems CIP-compliance auditors will examine if they come a-calling <i>(see “<a href="http://www.fortnightly.com/fortnightly/2008/01/cyber-attack-defining-critical-assets">Defining ‘Critical Assets’</a>”)</i>.</p>
<p>Additionally, the standards exempt many assets common sense suggests should be included in any logical definition of “critical infrastructure.” Speaking on condition of anonymity, a manager for a major T&amp;D utility told <i>Public Utilities Fortnightly</i>, “We operate the largest transmission system in our state and we may end up with the smallest number of critical cyber assets. That’s because most of our substations are not IP (Internet Protocol) or dial-up accessible.”</p>
<p>The CIP cyber standards govern only systems using IP communications, while many utilities’ control systems use serial or point-to-point connectivity <i>(see “<a href="http://www.fortnightly.com/fortnightly/2008/01/cyber-attack-lessons-learned-aurora-attack">Aurora Attack</a>”)</i>. “That’s a weakness in the standards,” the manager says. “They don’t require us to protect those assets.”</p>
<p>Additionally, the standards exclude assets regulated by the Nuclear Regulatory Commission (NRC)—which means some of the largest power plants on the grid, with the highest-profile safety issues, are exempted. (The NRC imposes its own security requirements on nuclear licensees.)</p>
<p>Also, the standards apply only to NERC-registered entities and others with assets that are critical to the bulk-electric grid—a term NERC defines in fairly general terms. NERC and most of its control areas consider 100 kilovolts the working threshold between distribution and bulk-power assets, but even that definition falls short.</p>
<p>“There is no universally accepted definition of bulk power,” says Tobias Whitney, compliance and infrastructure-protection practice leader at Burns &amp; McDonnell in St. Louis. “In practical terms, utilities generally consider it anything that could contribute to a cascading blackout like what happened in the Northeast. But there’s a gap between the definition and what’s practically considered the bulk-electric system.”</p>
<p>This gap could represent a dangerous loophole. To the degree utilities are uncertain about their compliance requirements, that uncertainty might expose the entire bulk grid to security risks. Further, the CIP standards don’t apply to interdependent infrastructure, such as pipelines and telecommunications networks, or to most municipal utility systems—even large ones with hundreds of thousands of customers.</p>
<p>“Some distribution systems are almost bulk systems,” says Larry Bugh, chief security officer at Reliability First, the NERC regional entity covering PJM. “Some distribution systems are operated in a fashion that could impact the reliable operation of the grid, at least in a local area. Do those folks need to think about infrastructure protection and cyber security? They probably do, but we have jurisdiction issues today.”</p>
<h4>Loose Standard</h4>
<p>The most obvious omissions from the CIP standards result from NERC’s focus on regional-grid reliability, rather than local distribution. Plus EPAct authorizes the ERO and FERC to regulate the bulk-electric system and nothing else.</p>
<p>“The NERC CIP standards point to interdependency issues with regard to coordination with other areas, such as fuel supply,” says Joseph H. McClelland, director of FERC’s Office of Electric Reliability. “The Commission’s authority under Section 215 of the Federal Power Act, however, does not extend to other infrastructure outside of the bulk-power system.”</p>
<p>Beyond those reasons, however, the administrative structure of NERC—as an industry-financed and industry-governed association—seems to have affected the way the standards evolved.</p>
<p>Several sources, speaking to <i>Fortnightly</i> on condition of anonymity, observed the NERC CIP standards were developed in a way that allows utilities to develop security strategies based on implementation cost and business implications, rather than an empirical risk threshold.</p>
<p>“The cyber-asset standard is loosely written,” says one utility manager. “NERC did that to get membership buy-in.”</p>
<p>Most notably, the standards repeatedly state that entities should use their “reasonable business judgment” in compliance. This leeway makes a certain amount of sense, because it helps ensure security requirements don’t cause unintended consequences, or result in unjustifiable investments. But it also results in an ill-defined and weak standard.</p>
<p>FERC noted as much in its July 20, 2007 NOPR: “The Commission acknowledges that cost can be a valid consideration in implementing the CIP reliability standards. However … it is unreasonable to allow each user, owner or operator to determine compliance with the CIP reliability standards based on its own ‘business interests.’ Business convenience cannot excuse compliance with mandatory reliability standards.”</p>
<p>The FERC NOPR proposes to direct NERC to remove the “reasonable business judgment” language from the CIP standards, and FERC’s comments in general suggest the standards will get tougher in the future. “FERC can throw back standards that aren’t good enough, as they already have done,” Silverstein says. “That forces NERC to rise above the lowest of its members’ interests, and write tougher standards.”</p>
<p>Nevertheless, to the degree the NERC administrative structure tolerates weak standards, it could leave the grid more exposed than it should be.</p>
<p>“NERC is in a weird position, with two conflicting masters—the regulator and the regulated,” Peterson says. “Now FERC is asking them to modify the standards, and NERC rules require a consensus of members. That’s backwards; regulated people don’t get to say, ‘Let us decide if this is acceptable.’ They will continue to have this problem until they structurally separate the ERO from the bulk-electric system.”</p>
<h4>First Steps</h4>
<p>Given NERC’s jurisdictional limitations and potential conflicts, many industry analysts question whether the organization is the right agency for promulgating and enforcing security standards for the industry. (NERC officials declined to comment for this story, given the organization’s policy on <i>ex-parte</i> communications.)</p>
<p>“The NERC CIP standards are really just a starting point,” says Joe Bucciero, senior vice president with KEMA Consulting in Philadelphia, Pa. “They’re a good start, but they’re certainly not enough. More needs to be done. Whether NERC is the right one to do it is another question.”</p>
<p>In particular, as the distribution grid becomes more automated, and operational systems get connected with enterprise systems, the bulk-power distinction loses relevance in terms of cybersecurity and critical infrastructure threats.</p>
<p>“With cyber systems crossing so many different areas, we need a super-NERC,” Bucciero says. “Maybe NERC should just focus on reliability, and a separate cyber counterpart should look across the industry, irrespective of the voltage level.”</p>
<p>Although FERC lacks the authority to take such a holistic approach to regulating security, the necessary authority might be available under the aegis of DOE or the Department of Homeland Security. Alternatively, Congress could enact new federal authority for such an agency.</p>
<p>Or perhaps such authority isn’t really necessary. Groups like IEEE successfully promulgate standards without legal authority, and in the long term a non-regulatory approach might prove more successful than stretching mandatory standards further than existing institutions feasibly could enforce. Apart from national-security-level concerns, which the CIP standards are intended to address, perhaps cyber security should be treated the same as any other operational or business risk. Utilities might be expected to apply “reasonable business judgment” and protect their systems appropriately without an intrusive regulatory regime.</p>
<p>“You can’t be everybody’s mommy,” Silverstein says. “You can’t cover all the sharp edges in the world. People have to protect their own business interests and assets.”</p>
<p>In the short term, utilities have their hands full complying with the mandatory CIP standards, while also grappling with cyber security vulnerabilities outside the bulk-electric system. Indeed, NERC CIP compliance likely will be just the beginning of a long and complicated journey for the industry.</p>
<p>“This stuff is not easy or cheap,” Silverstein says. “These are huge operational changes. It seems to me you have to walk before you can run.”</p>
</div></div></div><div class="field-collection-container clearfix"><div class="field field-name-field-sidebar field-type-field-collection field-label-above"><div class="field-label">Sidebar:&nbsp;</div><div class="field-items"><div class="field-item even"><div class="field-collection-view clearfix view-mode-full field-collection-view-final"><div class="entity entity-field-collection-item field-collection-item-field-sidebar clearfix">
<div class="content">
<div class="field field-name-field-sidebar-title field-type-text field-label-above"><div class="field-label">Sidebar Title:&nbsp;</div><div class="field-items"><div class="field-item even">ERO Enforcement Emerges</div></div></div><div class="field field-name-field-sidebar-body field-type-text-long field-label-above"><div class="field-label">Sidebar Body:&nbsp;</div><div class="field-items"><div class="field-item even"><p>Since the North American Electric Reliability Corp. (NERC) was identified as the federally mandated electric reliability organization (ERO), its leaders have worked to separate its enforcement functions from the rest of the organization.</p><p>“A lot of the influence the industry had on what NERC does, and the direction NERC takes, is no longer there,” says Larry Bugh, chairman of the NERC committee that drafted the CIP standards, and chief security officer at NERC’s Ohio-based reliability entity, Reliability First. “NERC is very aware of its role as the ERO and the independent enforcement arm of FERC. As with any change of this scope, there will be some lessons learned and growing pains, but NERC has taken a lot of steps already.”</p><p>NERC’s enforcement activities haven’t yet begun: The latest version of the CIP standards, which FERC’s July 2007 NOPR proposes to approve, would require utilities to be “auditably compliant” in 2009. Already, however, a three-tiered enforcement regime is taking shape. Regional reliability entities will shoulder the front-line burden, with the responsibility to monitor registered companies and conduct compliance audits. The ERO will act as a primary appeals agency, while FERC backs it up with a second stage of appeals and its review and enforcement authority.</p><p>This structure allows NERC and the regional entities to begin audits with minimal up-staffing. 
“We are satisfied the regional entities are equipped to handle their enforcement issues,” says Joseph H. McClelland, director of FERC’s office of electric reliability.—<span><span class="bolditalic">MTB </span></span></p><p> </p></div></div></div> </div>
</div>
</div></div></div></div></div><div class="field field-name-field-article-category field-type-taxonomy-term-reference field-label-above clearfix"><h3 class="field-label">Category (Actual): </h3><ul class="links"><li class="taxonomy-term-reference-0"><a href="/article-categories/security-reliability-cip">Security, Reliability &amp; CIP</a></li><li class="taxonomy-term-reference-1"><a href="/article-categories/smart-grid">Smart Grid</a></li></ul></div><div class="field field-name-field-image-picture field-type-image field-label-above"><div class="field-label">Image Picture:&nbsp;</div><div class="field-items"><div class="field-item even"><img src="https://www.fortnightly.com/sites/default/files/article_images/0801/images/0801-FEA1.jpg" width="1344" height="1500" alt="" /></div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above clearfix">
<div class="field-label">Tags:&nbsp;</div>
<div class="field-items">
<a href="/tags/cip">CIP</a><span class="pur_comma">, </span><a href="/tags/commission">Commission</a><span class="pur_comma">, </span><a href="/tags/congress">Congress</a><span class="pur_comma">, </span><a href="/tags/darren-highfill">Darren Highfill</a><span class="pur_comma">, </span><a href="/tags/department-homeland-security">Department of Homeland Security</a><span class="pur_comma">, </span><a href="/tags/doe">DOE</a><span class="pur_comma">, </span><a href="/tags/energy-policy-act">Energy Policy Act</a><span class="pur_comma">, </span><a href="/tags/energy-policy-act-2005">Energy Policy Act of 2005</a><span class="pur_comma">, </span><a href="/tags/enernex">EnerNex</a><span class="pur_comma">, </span><a href="/tags/epa">EPA</a><span class="pur_comma">, </span><a href="/tags/epact">EPAct</a><span class="pur_comma">, </span><a href="/tags/federal-power-act">Federal Power Act</a><span class="pur_comma">, </span><a href="/tags/ferc">FERC</a><span class="pur_comma">, </span><a href="/tags/grid-reliability">grid reliability</a><span class="pur_comma">, </span><a href="/tags/iee">IEE</a><span class="pur_comma">, </span><a href="/tags/ieee">IEEE</a><span class="pur_comma">, </span><a href="/tags/infrastructure">Infrastructure</a><span class="pur_comma">, </span><a href="/tags/kema">KEMA</a><span class="pur_comma">, </span><a href="/tags/nerc">NERC</a><span class="pur_comma">, </span><a href="/tags/nerc-critical-infrastructure-protection">NERC Critical Infrastructure Protection</a><span class="pur_comma">, </span><a href="/tags/nopr">NOPR</a><span class="pur_comma">, </span><a href="/tags/nrc">NRC</a><span class="pur_comma">, </span><a href="/tags/nuclear">Nuclear</a><span class="pur_comma">, </span><a href="/tags/nuclear-regulatory-commission">Nuclear Regulatory Commission</a><span class="pur_comma">, </span><a href="/tags/pjm">PJM</a><span class="pur_comma">, </span><a href="/tags/reliability">Reliability</a><span class="pur_comma">, </span><a 
href="/tags/reliability-standards">reliability standards</a><span class="pur_comma">, </span><a href="/tags/security">Security</a> </div>
</div>
Tue, 01 Jan 2008 05:00:00 +0000puradmin13864 at https://www.fortnightly.com